On the FreeBSD stable mailing list a posting about a compromised FreeBSD box, led to an interesting discussion about boxes being hammered with SSH probes.

One of the participants posted a list of about 40 hosts which probed his box for weak passwords using SSH.

Several years, when my wife was in another country, I enabled SSH access so she could use fetchmail and pine to read her mail.
Opening port 22 on my firewall of course triggered the same SSH probes. To some of these hosts I could telnet and some after displaying their RedHat login banner prompted me for a login name.

Reading the freebsd-stable discussion I wondered what kind of boxes are initiating these annoying login attempts.

The OpenBSD 'nc' man page shows a simple way to get a box to display the login banner.

Code:

PORT SCANNING
It may be useful to know which ports are open and running services on a
target machine. The -z flag can be used to tell nc to report open ports,
rather than initiate a connection. For example:
$ nc -z host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
The port range was specified to limit the search to ports 20 - 30.
Alternatively, it might be useful to know which server software is run-
ning, and which versions. This information is often contained within the
greeting banners. In order to retrieve these, it is necessary to first
make a connection, and then break the connection when the banner has been
retrieved. This can be accomplished by specifying a small timeout with
the -w flag, or perhaps by issuing a "QUIT" command to the server:
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready